Locking down Windows XP/2000

[-=Dan=- ©]

Hi all,

I need to lock down a Windows XP standalone workstation, which is not a
member of a domain. I can't believe that there isn't a feature to apply
Local Policy's to certain users, and not the administrator! I've tried
putting 'deny' rights on the ini file for the Administrator, but then when I
lock down the machine so well, I can't remove the 'deny' when I want to make
a change!

I've tried 'Doug's Windows XP Security Console' but it doesn't give enough
options for locking down. Basically, the machine is going to be used by the
public, so I want them to login and be restricted to one webpage, and not be
able to do absolutely anything else except print. I'm sure this could be
done with a group policy if the machine was on a domain, but it's not going
to be.

Does anyone have any bright ideas?

TIA

Dan

 

[Kelly]

If Doug can't help you, good luck! Have you written him?

 

[David Candy]

There is some bullshit procedure where you can apply group policy to some users. But easier is to set the registry entries GP sets. They need to be applied to the user (NTUSER.DAT see Load Hive in Regedit's help).

http://msdn.microsoft.com/library/en-us/gp/gpref.asp

 

[-=Dan=- ©]

Thanks for the quick response! Doug has a new version coming out at the end
of this month I think, but I could really do with getting this done like
yesterday.

Ta

Dan

 

[Kelly]

Is true, he hasn't finished it yet; however, your best bet is to contact
him. As for yesterday, there is always tomorrow! )

 

[-=Dan=- ©]

Heheh, tell that to my boss who has already sold lots of the project that
I'm working on! :/

 

[Kelly]

I hear you and can do, send me his e-mail address! )

 

[-=Dan=- ©]

(e-mail address removed)

I hear you and can do, send me his e-mail address! )

 

[Kelly]

<LOL> Will try. <w>

 

[Phil G]

There is some bullshit procedure where you can apply group policy to
some users. But easier is to set the registry entries GP sets. They need
to be applied to the user (NTUSER.DAT see Load Hive in Regedit's help).

http://msdn.microsoft.com/library/en-us/gp/gpref.asp

I have successfully completed exactly what you want with windows 2000
professional. There were a few tricks I had to do to get this job
done. I am now working on a windows xp locked down machine that will
essentially do the same. Here is what my locked down 2000 machine
does (no login to domain needed)

Auto logs on to machine, User has nothing listed in the startup menu
nor do they have anything listed on their desktop, They can't right
click either. They can only use the quick launch bar to load up an MS
Access application which is also locked down. Internet explorer has
no address bar and is set to a default page. Has free excel viewer ,
visio viewer, word viewer so that the users can view all these types
of documents without having to have a license for office. I will be
writing this all up on how to do this in 2000 and xp very soon, no
tools needed. your administrator account is unaffected by any of
these lock down measures. If you would like to contact me via msn
messenger add me as a contact with support$hitstech.com of course the
$ is @.

have a good one.